[Samba] Fwd: [EXTERNAL] Fwd: ntlm_auth and freeradius

Kees van Vloten keesvanvloten at gmail.com
Tue Apr 4 08:01:57 UTC 2023

On 04-04-2023 at 09:45, Andrew Bartlett wrote:
> On Tue, 2023-04-04 at 09:37 +0200, Kees van Vloten wrote:
>> On 04-04-2023 at 00:32, Andrew Bartlett wrote:
>>> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
>>>> Unfortunately it's still erroring out:
>>>> (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
>>>> (7) mschap: Client is using MS-CHAPv2
>>> Is this set as a UPN (with the realm appended) on the user?
>> In my environment (where samba + freeradius + wifi connect with 
>> machine account works), there is no UPN set on the machine account, 
>> just a set of SPNs:
>> servicePrincipalName: HOST/myhost.example.com
>> servicePrincipalName: RestrictedKrbHost/myhost.example.com
>> servicePrincipalName: HOST/MYHOST
>> servicePrincipalName: RestrictedKrbHost/BARTOK
>> servicePrincipalName: WSMAN/myhost.example.com
>> servicePrincipalName: WSMAN/myhost
>> servicePrincipalName: TERMSRV/myhost.example.com
>> servicePrincipalName: TERMSRV/MYHOST
>> One of which does match with the username in Tim's output, btw. I 
>> have seen exactly the same username format while I was setting this 
>> up around a month ago.
>> - Kees.
> So NTLM (and Kerberos client) authentication is not possible with an 
> SPN, but many folks work around it by selecting one of these and 
> having that in the UPN, e.g.
> userPrincipalName: HOST/myhost.example.com@example.com
> This is about the (unusual) username pattern Tim is using; you may be 
> logging in with myhost$, which would work normally.
In the end, freeradius uses myhost$ to log in; that is indeed what I see 
in the audit.log on the DC. Kerberos is not involved at all between the 
client-machine and the DC. It sends the machine-password to freeradius, 
which uses ntlm_auth + winbind to log in, but first it transforms the 
username from the UPN into a normal username.

The logging in the Samba DC audit log looks like this:
{
   "timestamp": "2023-03-20T19:59:57.279079+0100",
   "type": "Authentication",
   "Authentication": {
     "version": {
       "major": 1,
       "minor": 2
     },
     "eventId": 4624,
     "logonId": "b9ec40a5e57dae50",
     "logonType": 3,
     "status": "NT_STATUS_OK",
     "localAddress": "ipv4:",
     "remoteAddress": "ipv4:",
     "serviceDescription": "SamLogon",
     "authDescription": "network",
     "clientDomain": "example",
     "clientAccount": "myhost$",
     "workstation": "\\\\FREERDIUSHOST",
     "becameAccount": "myhost$",
     "becameDomain": "EXAMPLE",
     "becameSid": "S-1-5-21-4190054395-3643546414-2043688973-1331",
     "mappedAccount": "myhost$",
     "mappedDomain": "example",
     "netlogonComputer": "FREERDIUSHOST",
     "netlogonTrustAccount": "FREERDIUSHOST$",
     "netlogonNegotiateFlags": "0x610FFFFF",
     "netlogonSecureChannelType": 2,
     "passwordType": "MSCHAPv2",
     "duration": 2981
   }
}
> Andrew Bartlett
> -- 
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
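
Added example, not part of the original message and not FreeRADIUS or Samba code: a Python check that maps a `host/...` machine identity to the account name the DC should log, then pulls the matching Authentication records out of a Samba JSON audit log. The mapping rule (first DNS label plus `$`, case-insensitive `host/` prefix), the function names and the sample lines are assumptions constructed for illustration.

```python
import json

# Constructed sample lines using field names from the audit record quoted above.
SAMPLE_LOG = [
    '{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", '
    '"serviceDescription": "SamLogon", "clientAccount": "myhost$", '
    '"netlogonComputer": "RADIUSHOST", "passwordType": "MSCHAPv2"}}',
    '{"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", '
    '"serviceDescription": "SamLogon", "clientAccount": "MYHOST$", '
    '"netlogonComputer": "RADIUSHOST", "passwordType": "MSCHAPv2"}}',
    '{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", '
    '"serviceDescription": "SamLogon", "clientAccount": "otherhost$", '
    '"netlogonComputer": "RADIUSHOST", "passwordType": "MSCHAPv2"}}',
    'not a JSON line',
]

def eap_identity_to_sam(identity):
    """Map 'host/NAME.dns.domain' to 'NAME$' (assumed rule); other names pass through."""
    prefix = "host/"
    if not identity.lower().startswith(prefix):
        return identity
    host = identity[len(prefix):].split(".", 1)[0]
    if not host:
        raise ValueError("empty host name in identity: %r" % identity)
    return host + "$"

def matching_logons(audit_lines, identity):
    """Return the Authentication records whose clientAccount matches the identity."""
    want = eap_identity_to_sam(identity).lower()  # account names compare case-insensitively
    hits = []
    for line in audit_lines:
        start = line.find("{")  # tolerate a log prefix before the JSON object
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if record.get("type") != "Authentication":
            continue
        auth = record.get("Authentication", {})
        if auth.get("clientAccount", "").lower() == want:
            hits.append({k: auth.get(k) for k in
                         ("clientAccount", "status", "passwordType", "netlogonComputer")})
    return hits

if __name__ == "__main__":
    for hit in matching_logons(SAMPLE_LOG, "host/myhost.example.com"):
        print(hit)
```

If the list comes back empty for an identity that FreeRADIUS accepted or rejected, the account name reaching the DC is not the one this mapping predicts.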
